Virtual Geek

Tales from real IT system administrators world and non-production environment

Install an SSL-TLS Certificate In Microsoft IIS web server

After completing Install and Configure IIS Web Server on Windows Server, I wanted to add an SSL/TLS certificate to a web site on the IIS web server. This is the step-by-step procedure to add the certificate. Open Server Manager on the Windows server, and from Tools click Internet Information Services (IIS) Manager.


In IIS Manager, click on the server, then go to Server Certificates and click Open Feature in the Actions pane.


Next, on the Server Certificates page, click Create Certificate Request to generate the CSR file.


Next, fill in the SSL certificate Distinguished Name Properties. In the Request Certificate dialog, specify the required information for the certificate: Common name, Organization unit, City/locality, State/province and Country/region. State/province and City/locality must be specified as official names and cannot contain abbreviations. On the Cryptographic Service Provider Properties page, select a cryptographic service provider and a bit length. The bit length of the encryption key determines the certificate's encryption strength. The greater the bit length, the stronger the security. However, a greater bit length may decrease performance.

I kept Microsoft RSA SChannel Cryptographic Provider selected, with a bit length of 2048.


Finally, specify the file name for the certificate request. This information can be sent to a certification authority for signing. I opened the CSR text file in Notepad; the content of the file will be required later, so copy the complete content from Begin to End.


I have a Microsoft Active Directory Certificate Services server set up in the lab (see Install and configure certificate authority (CA) on Microsoft Windows server with Group Policy). If you have any other CA (certificate authority), you can use the CSR file to generate the certificate. Open the CA server web address with the certsrv suffix. Click Request a certificate, then go to Submit an advanced certificate request. Next, choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Paste the CSR content into the textbox. Finally, download the certificate and save it to a file.


Once the certificate is generated, go to IIS Manager. On the IIS Server Certificates page, click Complete Certificate Request in the Actions pane. Provide the file name containing the certification authority's response, and a friendly name. I will keep the new certificate saved in the Personal (My) certificate store. Click the OK button. The certificate will now be listed under Server Certificates.


I will apply the certificate to the website. I have only one site, Default Web Site. Select it and click Bindings in the Actions pane on the right-hand side.


In Site Bindings, click the Add button, select https from the Type dropdown, and select the latest SSL certificate we created.


The new port is now listed in Site Bindings. Close the dialog, right-click Default Web Site, and from the context menu go to Manage Website >> Restart for the changes to take effect.
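
The same procedure can be scripted with certreq.exe and the WebAdministration module. This is an added example, not part of the original walkthrough; the host name, folder, subject fields, CA config string and template name are hypothetical placeholders, and the request also carries a subjectAltName entry because current browsers match the host name against the SAN.

```powershell
# Added example: the GUI steps above done with certreq.exe and WebAdministration.
# Hypothetical values (not from the original post): host name, folder, subject, CA name.
$cn   = 'web01.lab.example'
$dir  = 'C:\certs'
$ca   = 'ca01.lab.example\Lab-Issuing-CA'   # "CAHost\CA common name" placeholder
$site = 'Default Web Site'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Request settings matching the wizard: RSA SChannel provider, 2048-bit key.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$cn, OU=IT, O=Example Lab, L=Example City, S=Example State, C=US"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$cn&"
"@ | Set-Content -Path "$dir\request.inf" -Encoding ASCII

# 1. Create the key pair and the base-64 PKCS #10 request (the CSR text file).
certreq.exe -new "$dir\request.inf" "$dir\request.csr"

# 2. Submit to the AD CS CA; the template name is an assumption for an enterprise CA.
certreq.exe -submit -config $ca -attrib "CertificateTemplate:WebServer" "$dir\request.csr" "$dir\response.cer"

# 3. Pair the CA response with the pending private key (Complete Certificate Request).
certreq.exe -accept -machine "$dir\response.cer"

# 4. Add the https binding on 443 and attach the newest matching certificate.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$cn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $cn" }
New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
(Get-WebBinding -Name $site -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')
```

Run it from an elevated PowerShell session on the IIS server. `Exportable = FALSE` keeps the private key from being exported out of the machine store.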


Verify the website is running with the https protocol; all looks good.
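
Beyond the browser padlock, the binding can be checked from a client by reading back the certificate IIS actually serves. This is an added example, not part of the original post; the function name and the host name `web01.lab.example` are hypothetical.

```powershell
# Added example: report what the https binding serves and whether it validates.
function Test-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $script:policyErrors = $null
    # Let the handshake finish either way, but record what validation reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $flags = [System.Net.Security.SslPolicyErrors]

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            KeyBits      = $rsa.KeySize                       # expect 2048 for this request
            Signature    = $cert.SignatureAlgorithm.FriendlyName
            Protocol     = $ssl.SslProtocol
            # False when the requested host name is not covered by the certificate.
            NameMatches  = -not ($script:policyErrors -band $flags::RemoteCertificateNameMismatch)
            # False when this client does not trust the issuing CA or the chain is broken.
            ChainTrusted = -not ($script:policyErrors -band $flags::RemoteCertificateChainErrors)
        }
    }
    finally {
        $tcp.Close()
    }
}

Test-ServedCertificate -HostName 'web01.lab.example'
```

`ChainTrusted` is False on any client that does not have the lab CA's root certificate in its trusted root store.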


Useful Articles
Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate
